Question

My config file looks like this:

ini_set('session.cookie_secure',1);
ini_set('session.cookie_httponly',1);
ini_set('session.use_only_cookies',1);

session_start();
//database connection part...

When accessing this page via https://www.mysite.com/config.php, the PHPSESSID cookie's "Secure" slot is empty. Visiting the page via http://www.mysite.com/config.php shows the exact same cookie, with the same value.

I'm new to this so maybe I'm wrong, but this shouldn't happen, right? What am I doing wrong?

Thanks!

No correct solution

OTHER TIPS

The ini_set method requires a string value so update your code to the following:

ini_set('session.cookie_secure', '1');
ini_set('session.cookie_httponly', '1');
ini_set('session.use_only_cookies', '1');

session_start();

The session id will be sent to the client regardless of HTTP or HTTPS. You must make this distinction in your code because, apparently, PHP does not.

Fiddle with this on http (not https), leaving cookie_secure set to 'on'. You will see that the cookie is transmitted to the client. (Use your favorite cookie analysis here.) But, on reload, the cookie is not submitted back to the server. cookie_secure: the client will transmit the cookie only over a secure connection.

<?php
  ini_set('session.cookie_secure','on');
  session_name('test');
  session_start();
  session_regenerate_id();
  // On the first load (and on every plain-http load) the browser has not sent
  // the cookie back, so guard the lookup to avoid an "Undefined index" notice.
  echo "test: '".(isset($_COOKIE['test']) ? $_COOKIE['test'] : '')."'";
?>

Change the setting to 'off' and, after the second reload, you will see that the session cookie is transmitted back to the server.

To validate that you are on a secure connection and should even call session_start:

<?php
  // $_SERVER['HTTPS'] is unset on plain http, non-empty on https, and literally
  // "off" for non-TLS requests under IIS, so test for all three cases.
  $secure = isset($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] != "" && $_SERVER["HTTPS"] != "off";
  if(!$secure) {
    $r = "https://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'];
    header("Location: $r");
    exit("use https!");
  }
  //if($secure) {
    session_start();
    /* and other secure happenings;;; */
  //}
?>

or How to find out if you're using HTTPS without $_SERVER['HTTPS']

Note: This looks like a security flaw in PHP, to me, since the session id will be transmitted in cleartext: according to OWASP this is exactly what the SecureFlag is intended to prevent. https://www.owasp.org/index.php/SecureFlag

I am using PHP 5.5.8; perhaps this is a 'feature' of the language. The definition seems to be directed solely toward the client and not the server.
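
The following is an added example, not code from the question or from either answer above. It ties the two answers together: the flags are set with typed arguments via session_set_cookie_params (so the string-vs-int question from the first answer does not arise), HTTPS is enforced before session_start() as in the second answer (so no session id is ever generated on a cleartext request), and the script then inspects the Set-Cookie header PHP actually queued, which is the check the asker needed. The file name secure_session.php and the TRUST_PROXY_HEADERS switch are assumptions. One caveat this makes visible: PHP only emits a Set-Cookie for the session cookie when it creates or regenerates an id, so a browser that already holds a PHPSESSID set before the flags were configured will keep showing the old, flag-less cookie in its cookie viewer; delete that cookie or call session_regenerate_id(true) to get a fresh header carrying the current flags.

```php
<?php
// Added example (not from the original page): harden the PHP session cookie and
// verify the flags PHP really emits. Save as secure_session.php (assumed name)
// and request it over http:// and https:// to compare the behaviour.

// Only set to true when a TLS-terminating proxy in front of PHP overwrites
// X-Forwarded-Proto on every request; otherwise any client could forge it.
const TRUST_PROXY_HEADERS = false;

function request_is_https()
{
    // $_SERVER['HTTPS'] is unset on plain http, non-empty on https, and
    // literally "off" for non-TLS requests under IIS.
    if (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== ''
        && strtolower($_SERVER['HTTPS']) !== 'off') {
        return true;
    }
    return TRUST_PROXY_HEADERS
        && isset($_SERVER['HTTP_X_FORWARDED_PROTO'])
        && strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) === 'https';
}

function require_https()
{
    if (request_is_https()) {
        return;
    }
    // Redirect BEFORE session_start(): no session id is generated, let alone
    // transmitted, over the cleartext request. 301 so the browser remembers.
    $target = 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
    header('Location: ' . $target, true, 301);
    exit;
}

function start_secure_session()
{
    require_https();
    ini_set('session.use_only_cookies', '1');  // never accept the id from the URL
    ini_set('session.use_strict_mode', '1');   // reject ids the server did not issue (PHP >= 5.5.2)
    // lifetime 0 (browser session), path "/", current host, Secure=true, HttpOnly=true
    session_set_cookie_params(0, '/', '', true, true);
    if (PHP_VERSION_ID >= 70300) {
        ini_set('session.cookie_samesite', 'Strict');
    }
    session_start();
}

// Return the Set-Cookie line PHP queued for the session cookie, or null if
// this request did not create or regenerate a session id.
function session_set_cookie_header()
{
    $name = session_name();
    foreach (headers_list() as $h) {
        if (stripos($h, 'Set-Cookie: ' . $name . '=') === 0) {
            return $h;
        }
    }
    return null;
}

// Return the attributes from $flags that are absent from a Set-Cookie header.
function missing_cookie_flags($header, array $flags)
{
    $missing = array();
    foreach ($flags as $flag) {
        if (!preg_match('/;\s*' . preg_quote($flag, '/') . '(\s*;|\s*$)/i', $header)) {
            $missing[] = $flag;
        }
    }
    return $missing;
}

start_secure_session();
$_SESSION['hits'] = isset($_SESSION['hits']) ? $_SESSION['hits'] + 1 : 1;

header('Content-Type: text/plain');
echo "hits this session: {$_SESSION['hits']}\n";

$setCookie = session_set_cookie_header();
if ($setCookie === null) {
    // Repeat visit: the browser already holds the cookie, PHP sends nothing new.
    echo "no Set-Cookie on this request (existing session)\n";
} else {
    echo $setCookie . "\n";
    $missing = missing_cookie_flags($setCookie, array('Secure', 'HttpOnly'));
    echo $missing ? 'MISSING: ' . implode(', ', $missing) . "\n"
                  : "Secure and HttpOnly present\n";
}
```

Over https:// the first request prints the Set-Cookie line with both attributes and "Secure and HttpOnly present"; a second request prints "no Set-Cookie on this request", which is the normal PHP behaviour that makes a stale, flag-less cookie in the browser's cookie viewer look like a misconfiguration. Over http:// the script redirects with a 301 and never reaches session_start(), so no id is issued in cleartext at all, closing the gap the second answer describes.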

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow